<!DOCTYPE html>
<html lang="zh-cn">
<head>
	
	<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
	<title>
SSL证书研究之CSR | 
穷折腾</title>
	<link rel="stylesheet" href="/static/css/style.css" />
	<link rel="stylesheet" href="/static/css/pygments.css" />
	<link rel="alternate" type="application/rss+xml" title="RSS" href="http://zqqf16.info/rss.xml" />
</head>
<body>
    <div id="container">
      <div id="main" role="main">
        <header>
		<h1>
SSL证书研究之CSR
</h1>
		</header>

     <nav>
		<span><a title="home page" class="" href="/">home</a></span>
		<span><a title="标签" class="" href="/tags/index.html">标签</a></span>
		<span><a title="订阅" class="" href="/rss.xml">订阅</a></span>
        <span><a href="/pages/about.html" title="关于">关于</a></span>
     </nav>

     <article class="content">
        <section class="post">
            
		<blockquote>
<p>以前用SSL证书的时候对一些概念了解比较模糊，对x.509、pem、csr等一大堆概念没有一个整体的认识。于是下决心仔细研究一番，接下来会写一系列文章，这是第一篇，先介绍一下CSR。</p>
</blockquote>
<h2>基本概念</h2>
<p>CSR全称Certificate Signing Request（证书请求文件），是证书申请者向证书颁发机构（CA）申请证书时需要提供的文件。里面包含了一些申请者的基本信息，比如Common Name、 Organization等。同时也包含了申请者的公钥。</p>
<p>生成CSR的时候一般也会同时生成一个私钥，和csr是配对生效的，如果私钥丢失，那么这个CSR将不会再起作用。</p>
<p>CA收到申请者的CSR之后会进行一系列操作，比如确认申请者信息之类的。然后用自己的私钥给CSR签名，生成证书文件，颁发给申请者。</p>
<p>CSR需要满足pkcs#10语法标准，详情可以参考<a href="http://tools.ietf.org/html/rfc2986">RFC2986</a>。</p>
<h2>生成方法</h2>
<p>首先需要安装openssl，然后：</p>
<div class="codehilite"><pre>openssl req -new -keyout z.key -out z.csr
</pre></div>


<p>这条命令将会生成一个私钥文件z.key，然后生成对应的CSR，需要填写基本信息，比如：</p>
<div class="codehilite"><pre>Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Zzzz
Organizational Unit Name (eg, section) []:dev
Common Name (e.g. server FQDN or YOUR name) []:zqqf16.info
Email Address []:your@email.com

Please enter the following &#39;extra&#39; attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</pre></div>


<p>打开z.key文件，可以看到私钥，类似这样的：</p>
<div class="codehilite"><pre>-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIj6V2J4snMfMCAggA
MBQGCCqGSIb3DQMHBAgCsEw8GV7nDASCBMhm0VvIGGreMAjQne7gx56nv85HLl/T
e0TWboN4PGlq4lmaWJSE9iYolz.....
.....
-----END ENCRYPTED PRIVATE KEY-----
</pre></div>


<p>这是用PEM(Privacy Enhanced Mail)格式存储的，内容用Base64编码过。同样的，z.csr文件也是类似的格式：</p>
<div class="codehilite"><pre>-----BEGIN CERTIFICATE REQUEST-----
MIIC4jCCAcoCAQAwgYUxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlKaW5nMRAw
DgYDVQQHDAdCZWlKaW5nMQ0wCwYDVQQKDARaenp6MQwwCgYDVQQLDANkZXYxFDAS
BgNVBAMMC3pxcWYxNi5p.....
....
-----END CERTIFICATE REQUEST-----
</pre></div>


<p>如果想看CSR的内容可以用</p>
<div class="codehilite"><pre>openssl req -in z.csr -noout -text
</pre></div>


<p>将会输出详细信息</p>
<div class="codehilite"><pre>Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=Zzzz, OU=dev, CN=zqqf16.info/emailAddress=your@email.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:f8:ce:49:05:00:ff:53:5f:50:1a:00:c9:a1:
                    b8:4a:1d:19:c6:50:c3:22:11:30:cb:6f:ea:5e:5e:
                    3b:d9:e1:fa:5f:4b:5a:8a:51:88:1f:82:4f:b9:23:
                    52:de:80:2e:f4:b7:6a:b8:27:62:e7:3c:c1:7f:ef:
                    bb:5e:18:87:17:81:a3:11:f5:8b:25:c2:a3:fb:b2:
                    d9:4b:07:64:5d:93:1e:13:c1:b7:ce:ac:86:42:c2:
                    be:82:8c:76:d9:57:7e:c3:1d:0d:7c:3c:92:ce:0c:
                    ed:18:1f:45:83:28:d9:98:00:c1:b2:85:a7:52:4b:
                    f9:6e:45:f2:76:5f:c1:7d:1e:0d:65:3e:2b:ef:8e:
                    5f:89:83:7c:33:35:37:5b:40:11:48:4a:ec:b7:11:
                    4a:67:75:04:7e:d8:e9:68:ee:81:eb:38:70:a2:0d:
                    4e:d7:42:1c:fe:7e:fc:da:2e:15:69:8e:8f:ed:f6:
                    48:08:73:d1:65:2c:5b:90:52:ba:3c:62:b7:f5:80:
                    74:4b:03:34:5e:16:08:9c:3c:9b:85:47:94:3f:85:
                    ab:4d:d0:cf:7a:4c:ea:fb:50:59:69:2d:f2:93:b6:
                    44:48:a1:06:2c:6f:8b:f5:89:a3:9c:33:37:17:83:
                    40:27:3a:c5:e9:5a:57:5f:4a:e7:71:ba:57:7b:97:
                    e2:09
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :unable to print attribute
    Signature Algorithm: sha1WithRSAEncryption
         01:62:8d:cf:95:9a:99:29:d5:ca:e6:27:19:9f:e6:8f:33:4d:
         16:5e:99:d9:1f:e8:bc:bb:0a:c6:8d:0a:35:68:13:b1:33:91:
         16:22:be:57:a1:59:13:e2:21:fa:1a:c2:ce:dd:c7:44:f6:53:
         ab:ee:bc:4f:78:80:af:37:8d:59:55:5a:cb:9b:3e:8b:dd:9a:
         bd:50:22:b5:23:27:98:31:2d:98:05:c4:1c:bf:fa:49:4a:c2:
         a7:c6:f7:96:ed:4d:11:e7:75:64:54:e3:e7:a3:c3:3e:81:88:
         bb:89:7d:78:e6:06:0b:c4:b7:eb:f1:9f:e8:ff:23:3d:b3:35:
         f9:8f:c1:11:a4:72:55:95:3e:e6:38:d0:93:45:21:9e:77:2e:
         44:b6:43:58:68:5d:91:3a:5d:d3:50:c8:df:57:ba:2b:03:f2:
         43:29:da:9f:2b:c3:f1:10:21:26:b1:5f:bb:b7:9c:0c:1e:da:
         ae:62:09:ef:b1:a3:d6:18:6d:aa:3d:52:a2:af:10:50:69:78:
         94:26:1c:79:7c:ca:4f:a6:a1:37:82:b7:dd:68:8e:f6:ee:e1:
         ec:57:12:44:f5:34:2e:8e:aa:61:91:1f:6a:77:a6:88:fe:9b:
         a2:f5:e9:9a:11:ad:2a:31:d6:72:59:7e:e0:78:9f:b4:3f:af:
         c7:94:34:7f
</pre></div>
	</section>
	<section class="meta">
		<span class="tags">Tagged by 
			<a href="/tags/SSL.html">SSL</a>
			<a href="/tags/CSR.html">CSR</a>
		</span>

		<span class="time">&nbsp;<time datetime="2013-11-01">2013-11-01</time></span>
	</section>
	<!-- Duoshuo Comment BEGIN -->
<div class="ds-thread"></div>
<script type="text/javascript">
	var duoshuoQuery = {short_name:"zqqf16"};
	(function() {
		var ds = document.createElement('script');
		ds.type = 'text/javascript';ds.async = true;
		ds.src = 'http://static.duoshuo.com/embed.js';
		ds.charset = 'UTF-8';
		(document.getElementsByTagName('head')[0] 
		|| document.getElementsByTagName('body')[0]).appendChild(ds);
	})();
</script>
<!-- Duoshuo Comment END -->

<hr/>


        </section>
     </article>
	 <div id="copy">&copy; Powered by <a href="https://github.com/zqqf16/zqqf16.github.com" title="Peanut">Peanut</a> | Themed by <a href="http://lhzhang.com" title="sext ii">sext ii</a></div>
      </div>
    </div> <!--! end of #container -->
	<script>
	  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
			(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
		m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
			})(window,document,'script','//www.google-analytics.com/analytics.js','ga');

	  ga('create', 'UA-41282906-1', 'zqqf16.info');
	  ga('send', 'pageview');
	</script>
</body>
</html>
